As part of hardening measures, it is a good idea to apply the Microsoft Security Baselines published by Microsoft to your own server landscape.
This will inevitably have an impact on PKI components. The following is an overview of the expected effects and countermeasures.
Auditing settings
The security baselines include an auditing policy that does not contain any settings for the certification authority (see the article "Standard auditing rules for Windows Server operating systems" for a comparison with the standard auditing rules).
The certification authority-specific audit settings must therefore be applied separately to the certification authorities and the associated services. See the article "Configuration of security event monitoring (auditing settings) for certification authorities".
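One way to check, after a baseline has been applied, whether CA auditing is actually in effect (an added example, not taken from the original article or the referenced ones). It assumes an elevated PowerShell session on the certification authority and relies on two facts: the "Certification Services" audit subcategory must be enabled in the operating system's audit policy, and the CA's own `AuditFilter` registry value selects which of its seven event categories are logged (127 means all).

```powershell
# Added example: verify CA auditing on a certification authority (run elevated).
$guid = '{0CCE9221-69AE-11D9-BED3-505054503030}'   # subcategory "Certification Services"

# 1) OS audit policy. /r prints CSV; columns are read by position because
#    header and values are localized. The column names below are our own labels.
$cols = 'Machine','Target','Subcategory','Guid','Inclusion','Exclusion'
$row  = auditpol.exe /get "/subcategory:$guid" /r |
        Where-Object { $_ -match [regex]::Escape($guid) } |
        ConvertFrom-Csv -Header $cols

# 2) CA audit filter. "Active" names the configuration subkey of the installed CA.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$caKey  = Join-Path $cfg $caName
$value  = Get-ItemProperty -Path $caKey -Name AuditFilter -ErrorAction SilentlyContinue
$filter = [int]$value.AuditFilter                  # missing value counts as 0

# Bit meanings of AuditFilter (the check boxes on the CA's "Auditing" tab).
$categories = [ordered]@{
    'Start and stop AD CS'                   = 1
    'Back up and restore the CA database'    = 2
    'Issue and manage certificate requests'  = 4
    'Revoke certificates and publish CRLs'   = 8
    'Change CA security settings'            = 16
    'Store and retrieve archived keys'       = 32
    'Change CA configuration'                = 64
}

"Audit policy 'Certification Services': $($row.Inclusion)"
"CA '$caName' AuditFilter: $filter"
$categories.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Category = $_.Key
        Enabled  = [bool]($filter -band $_.Value)
    }
}

# Non-zero means at least one CA event category is not being logged.
$missing = 127 -band (-bnot $filter)
if ($missing -ne 0) { Write-Warning "AuditFilter bits not set: $missing" }
```

If either part is off, the CA writes no audit events for the affected categories, regardless of what the rest of the baseline's auditing policy enables.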
Windows security permissions
- For the Certificate Enrollment Policy Web Service, see the article "Required Windows security permissions for the Certificate Enrollment Policy Web Service (CEP)".
- For the Certificate Enrollment Web Service, see the article "Required Windows security permissions for the Certificate Enrollment Web Service (CES)".
- For the Network Device Enrollment Service, see the article "Required Windows security permissions for the Network Device Enrollment Service (NDES)".
- For Certification Authority Web Enrollment, see the article "Windows security permissions required for Certificate Authority Web Enrollment (CAWE)".
Other
- The security baselines include rules that prevent browsers that are outdated (Internet Explorer) or that Microsoft considers undesirable (Google Chrome, Mozilla Firefox) from running. If these browsers are used, the configuration must be adjusted accordingly.